The results of the first day of the traditional Pwn2Own hacking contest at the CanSecWest Conference currently taking place in Vancouver are in, and the losers are Adobe, Microsoft and Mozilla.
The team from French security firm and vulnerability/exploit vendor Vupen have raked in $300,000 by cracking Adobe Reader ($75,000), MS Internet Explorer 11 ($100,000), Adobe Flash ($75,000), and Mozilla Firefox ($50,000).
Firefox was compromised two more times on the same day by security researchers Mariusz Mlynski and Jüri Aedla, each of whom received the $50,000 prize.
“We’ve pwnd Adobe Reader XI with a heap overflow + PDF sandbox escape (without relying on a kernel flaw),” Vupen commented on its Twitter account. “We’ve pwnd IE11 on Win8.1 using a use-after-free combined to an object confusion in the broker to bypass IE sandbox.”
It’s interesting to note that Hewlett-Packard’s Zero Day Initiative (ZDI) – the organizers of the event – changed some of the contest rules almost at the last minute. The most important change is that everyone who succeeds in cracking one of the targets will be rewarded, not just the first team or individual who manages it. Of course, the vulnerabilities/exploits must be different.
“It was fascinating seeing the different ways that researchers are bypassing sandboxes and the ways they chained multiple vulnerabilities,” ZDI manager of vulnerability research Brian Gorenc commented on the day’s results.
Before the contest started, Google’s and ZDI’s teams participated in Pwn4Fun, a separate event that ended in the successful exploitation of a number of recently discovered vulnerabilities in Safari and IE. The prizes ($82,500 in total) were donated to the Canadian Red Cross.
Also on Wednesday, the first day of the Google-sponsored Pwnium contest ended with one researcher exploiting Chrome OS on an HP Chromebook 11, winning both the notebook and a prize of $150,000. The contest continues on Thursday.
Pwn2Own continues, and the scheduled “attacks” are against Safari, IE, Firefox, Flash and Chrome. Unfortunately, there are no scheduled contestants for the spectacularly announced Exploit Unicorn multi-product event.